https://securityheaders.io will give a score of how well placed the HTTP headers are on a site ranging from A+ to F (not sure what the R rating is for). Headers are a powerful meta (invisible to the naked eye) data used a lot for website statistics and used in Google’s Analytics. This also means they can leak information such as when someone goes from one site to the another.
Below are some tips specifically HAProxy using sources of information below (with corrections to work with HAProxy 1.8).
The below extract using example below show the syntax to configure what is in Siddharth Deshpande however updated with corrections:
backend myBackend
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
http-response set-header X-Frame-Options "SAMEORIGIN"
http-response add-header X-XSS-Protection "1; mode=block"
http-response add-header X-Content-Type-Options "nosniff"
http-response set-header Referrer-Policy no-referrer-when-downgrade
The only one I haven’t figured out yet is the content security policy.
For a simple like mine, the settings are fairly trival and using the material to explain what they do is fairly simple to add without violating the added security.
Securing haproxy and nginx via HTTP Headers
Setting Security Headers in Haproxy
Content Security Policy Cheat Sheet
[R] means the request was redirected (from HTTP to HTTPS for exemple)